Security, GDPR & Data Handling
AES-256 encryption, zero-trust architecture, GDPR rights, EU data residency.
Your Bill of Materials reveals product strategy, supplier relationships, and competitive positioning. Treat that as the crown jewel it is — and assume any tool that handles it is one breach away from costing your company millions. TekPulse is designed around that assumption.
Encryption at rest
- AES-256-GCM with authenticated encryption.
- A per-company key derived from a master key using HKDF-SHA256 — no two companies share an encryption key.
- The master key lives in HashiCorp Vault, accessed only by the BOM service via mTLS.
- TekPulse engineers cannot read your BOMs in the database: BOMs are decrypted only at the API layer, at the moment you fetch them.
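The per-company key scheme described above (one master key, HKDF-SHA256 to a tenant key, AES-256-GCM on the BOM) in working form. This is an added example written for this page, not TekPulse's code: the salt and info labels, the 32-byte constructed master key (which in the described design would come from Vault), the nonce-prefix layout and the use of the company ID as additional authenticated data are all assumptions. HKDF is written out with HMAC so the example needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 derives a 32-byte key from ikm with HKDF (RFC 5869) over SHA-256.
// Written out with HMAC so the example depends only on the standard library;
// a production service would use a vetted HKDF package.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	// Extract: PRK = HMAC-SHA256(salt, IKM).
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	// Expand: T(1) = HMAC-SHA256(PRK, info || 0x01). One block is 32 bytes,
	// exactly one AES-256 key, so no further blocks are needed.
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// companyKey derives the per-company AES-256 key from the master key. Binding the
// company ID into the HKDF info string is what guarantees two tenants never share a key.
// The salt and info labels are assumptions for this example, not TekPulse's values.
func companyKey(masterKey []byte, companyID string) []byte {
	return hkdfSHA256(masterKey, []byte("tekpulse-bom-key-v1"), []byte("company:"+companyID))
}

func newAEAD(masterKey []byte, companyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(companyKey(masterKey, companyID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBOM encrypts a BOM with AES-256-GCM under the company key. The random 96-bit
// nonce is prepended to the output, and the company ID is passed as additional
// authenticated data so a ciphertext cannot be quietly re-labelled as another tenant's.
func sealBOM(masterKey []byte, companyID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(masterKey, companyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(companyID)), nil
}

// openBOM reverses sealBOM. Any change to the ciphertext, the nonce or the company
// ID makes the GCM tag check fail, so tampering and cross-tenant reads both error out.
func openBOM(masterKey []byte, companyID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(masterKey, companyID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed BOM too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(companyID))
}

func main() {
	// Constructed 32-byte master key; in the described design it is fetched from Vault.
	master := make([]byte, 32)
	for i := range master {
		master[i] = byte(i)
	}
	bom := []byte("R1,10k,0402,EXAMPLE-PN-001") // constructed sample BOM line
	sealed, err := sealBOM(master, "acme", bom)
	if err != nil {
		panic(err)
	}
	plain, err := openBOM(master, "acme", sealed)
	fmt.Printf("acme reads own BOM: %q (err=%v)\n", plain, err)
	_, err = openBOM(master, "globex", sealed)
	fmt.Printf("globex reads acme's BOM: err=%v\n", err)
}
```

The point worth checking in practice is the last call: a second tenant holding the same ciphertext and the same master key still cannot open it, because HKDF gives it a different AES key and GCM rejects the tag.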
Encryption in transit
- TLS 1.3 enforced on every endpoint. TLS 1.2 and below are rejected.
- HSTS with a 2-year max-age.
- Certificate pinning on critical service-to-service paths.
Authentication
- Passwords hashed with bcrypt (cost factor 12).
- JWT access tokens with a 15-minute lifetime + refresh tokens with rotation on use.
- Rate limiting: 5 failed login attempts within 15 minutes trigger exponential backoff.
- Multi-factor authentication (TOTP) available on Professional and Enterprise — coming to free tier in Q3.
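The failed-login policy above (a 15-minute window, a threshold of 5 failures, then exponential backoff) as an in-memory limiter. This is an added example, not TekPulse's implementation: the 30-second base delay, the one-hour cap, the reset on successful login and the per-account keying are assumptions chosen to make the behaviour visible. A real deployment would keep these counters in shared storage so every API replica sees the same state.

```go
package main

import (
	"fmt"
	"time"
)

// loginLimiter counts failed logins per account inside a sliding window and, once the
// threshold is reached, makes every further failure double the wait before the next try.
type loginLimiter struct {
	window    time.Duration          // how far back failures still count (15 minutes)
	threshold int                    // failures tolerated before backoff starts (5)
	baseDelay time.Duration          // wait imposed by the threshold-th failure (assumed)
	maxDelay  time.Duration          // cap on the wait (assumed)
	failures  map[string][]time.Time // recent failure timestamps per account
	now       func() time.Time       // injectable clock so the example is testable
}

func newLoginLimiter(now func() time.Time) *loginLimiter {
	return &loginLimiter{
		window:    15 * time.Minute,
		threshold: 5,
		baseDelay: 30 * time.Second,
		maxDelay:  time.Hour,
		failures:  map[string][]time.Time{},
		now:       now,
	}
}

// prune drops failures that have aged out of the window.
func (l *loginLimiter) prune(account string) {
	cutoff := l.now().Add(-l.window)
	kept := l.failures[account][:0]
	for _, ts := range l.failures[account] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	if len(kept) == 0 {
		delete(l.failures, account)
		return
	}
	l.failures[account] = kept
}

// retryAfter reports how long the account must still wait; zero means an attempt is allowed.
// The login handler should check this before touching the password hash at all.
func (l *loginLimiter) retryAfter(account string) time.Duration {
	l.prune(account)
	recent := l.failures[account]
	extra := len(recent) - l.threshold
	if extra < 0 {
		return 0
	}
	// Wait = baseDelay * 2^extra, capped; the exponent guard avoids shifting past int64.
	delay := l.maxDelay
	if extra < 20 {
		if d := l.baseDelay << uint(extra); d < l.maxDelay {
			delay = d
		}
	}
	remaining := recent[len(recent)-1].Add(delay).Sub(l.now())
	if remaining < 0 {
		return 0
	}
	return remaining
}

// recordFailure adds a failed attempt for the account.
func (l *loginLimiter) recordFailure(account string) {
	l.failures[account] = append(l.failures[account], l.now())
}

// recordSuccess clears the history after a correct login (an assumed policy choice).
func (l *loginLimiter) recordSuccess(account string) {
	delete(l.failures, account)
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	lim := newLoginLimiter(func() time.Time { return clock })
	for i := 1; i <= 7; i++ {
		lim.recordFailure("alice@example.com")
		fmt.Printf("after %d failures: wait %v\n", i, lim.retryAfter("alice@example.com"))
		clock = clock.Add(time.Second)
	}
}
```

The sliding window is what keeps this from being a permanent lock: once the failures are older than 15 minutes they stop counting, so a user who was simply mistyping recovers without support intervention, while an attacker hammering the endpoint keeps extending their own wait.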
GDPR compliance
TekPulse processes personal data only where strictly necessary (account email, name, IP address for security logs). We do not sell your BOM data, share it with advertisers, or use it to train external AI models.
- Right to access
- Export your account + BOM data from Settings → Profile. Delivered as JSON within 7 days.
- Right to rectification
- Edit your profile directly in Settings.
- Right to erasure
- Delete your account from Settings → Profile → Danger Zone. All data is purged within 30 days.
- Right to data portability
- BOM data exports as CSV and Excel directly from the BOMs page.
- Breach notification
- We notify affected users within 72 hours per GDPR Articles 33 and 34.
- EU data residency
- Optional. Available on Enterprise. Data stored exclusively in EU-region datacentres (Frankfurt or Dublin).
Operational security
- Sentry monitoring on every service for real-time error detection.
- Daily encrypted backups, 30-day retention, quarterly restore drills.
- All admin access to production gated by SSO + hardware-key MFA.
- Annual penetration test by an independent third party (report available to Enterprise customers under NDA).
For our full Data Processing Agreement (DPA), audit reports, or security questionnaire responses, email [email protected].